Apache mod_negotiation is enabled

Description

Kayran has found that mod_negotiation is enabled on your Apache.
mod_negotiation is an Apache module which is responsible for selecting the document that best matches the clients set of capabilities, from one of several available documents.
If a certain user uses an invalid accept header, the server will response with a 406 error which might contain directory listing.

All of it, can lead to the possibility of attackers learning more about their targets.
For example, it can help an attacker to find backup files, generate credentials and so on.

Recommendation

Simply disable the MultiViews directive from the Apache’s configuration file and restart Apache so the changes will take effect.

References

https://httpd.apache.org/docs/2.4/mod/mod_negotiation.html

< Return to all Vulnerabilities

Blue Team

We’ve talked about The Red Team before, but what about The Blue Team? How is this group different from the red one? Why would we

Read More »